FIPS 140-3 support with BC FIPS 2.0.x libraries #139319
Merged
ebarlas merged 20 commits into elastic:main from Dec 19, 2025
Collaborator
Pinging @elastic/es-security (Team:Security)
Collaborator
Hi @ebarlas, I've created a changelog YAML for you.
Collaborator
Pinging @elastic/es-delivery (Team:Delivery)
jfreden reviewed Dec 17, 2025
Contributor jfreden left a comment
PR looks great! I just have a comment on testing.
x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java
szybia added a commit to szybia/elasticsearch that referenced this pull request Dec 19, 2025
* upstream/main: (25 commits)
  Add spec for project routing CRUD REST API endpoints (elastic#139634)
  Implement AllSupportedFIeldsTestCase for TDigest (elastic#139744)
  Mute elastic#139802 (elastic#139803)
  fix(logsdb): batch bulk indexing to prevent OOM in challenge tests (elastic#139770)
  Documentation for semantic_text auto pre-filtering (elastic#139749)
  Always do bulk scoring for rescoring when possible (elastic#139777)
  Optimize script sorts that do not require query scores (elastic#139748)
  Bump versions after 9.1.9 release
  Update branches.json for 9.1.9 release
  Bump versions after 9.2.3 release
  Prune changelogs after 8.19.9 release
  Bump versions after 8.19.9 release
  Update branches.json for 8.19.9 release
  Finalize docs for v9.2.3 release (elastic#139795)
  ESQL: Added timezone support to date_format and date_parse (elastic#138517)
  Update branches.json for 9.2.3 release
  Finalize docs for v9.1.9 release (elastic#139796)
  Switch inline stats to GA in docs (elastic#139753)
  Validate license in CPS (elastic#139105)
  FIPS 140-3 support with BC FIPS 2.0.x (elastic#139319)
  ...
breskeby reviewed Jan 5, 2026
| @@ -0,0 +1,12 @@ | |||
| config: | |||
| allow-labels: | |||
| - test-fips-140-3 | |||
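Review bot: the `allow-labels` list on the last visible line carries a single version-specific label, `test-fips-140-3`, and nothing in the file says what applying it triggers. A one-line YAML comment above `allow-labels:` naming the FIPS mode the gated jobs run would make the gate self-documenting. The hunk header shows 12 added lines but only three appear here, so this comment covers only those.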
Contributor
I think this should just be test-fips. And we should run against both fips versions when applied.
Contributor
We also need to add coverage to our periodic pipelines as in
and
Contributor
Author
I have a separate follow-up PR for that: #139909
ebarlas added a commit to ebarlas/elasticsearch that referenced this pull request Jan 14, 2026
Comprehensive changes for the addition of FIPS 140-3 compliance with Bouncy Castle 2.0.x:
- Testing with BC FIPS 2.0.x activated with Gradle build property
- FIPS Docker image activated with Gradle build property
- ES launch verification of BC FIPS provider
- Buildkite jobs activated with test-fips-140-3 label
This was referenced Jan 15, 2026
Merged
ebarlas added a commit that referenced this pull request Jan 20, 2026
1. Update plugin-cli tool to isolate BC (#138949)
   - Introduce bc sub-project library to encapsulate BC dependencies and shading. Update plugin-cli to use this new library.
2. FIPS 140-3 support with BC FIPS 2.0.x (#139319)
   - Comprehensive changes for the addition of FIPS 140-3 compliance with Bouncy Castle 2.0.x
   - Testing with BC FIPS 2.0.x activated with Gradle build property
   - FIPS Docker image activated with Gradle build property
   - ES launch verification of BC FIPS provider
   - Buildkite jobs activated with test-fips-140-3 label
3. Periodic FIPS 140-3 buildkite pipelines (#139909)
   - Add periodic FIPS 140-3 buildkite pipelines
   - Use test-fips allow-label for CI
This PR has comprehensive changes for the addition of FIPS 140-3 compliance alongside existing FIPS 140-2 compliance.

Summary

Compliance Testing
- `build-tools-internal/src/main/groovy/elasticsearch.fips.gradle` to include FIPS 140-3 testing mode
- `tests.fips.enabled` Gradle build param for activating FIPS testing
- `tests.fips.mode` Gradle build param with default value `140-2`
- `tests.fips.mode=140-3`, BC 2.0.x JARs are configured

Docker Image
- `distribution/docker/src/docker/dockerfiles/cloud_ess_fips/Dockerfile` for FIPS 140-3
- `docker.fips.version` Gradle build property to `distribution/docker/build.gradle`
- `docker.fips.version=140-3`, BC 2.0.x JARs are included in the Docker image

Buildkite
- `test-fips-140-3`

ES Launch Verification
- `<name>:<version>` format for `xpack.security.fips_mode.required_providers` setting
- bcfips:2*)
- 2*)

Test Exclusions
- `plugin-cli` tests are excluded in FIPS mode since BC FIPS versions are no longer aligned
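
The `<name>:<version>` launch check listed under ES Launch Verification, sketched as an added example (not code from this PR or from Elasticsearch). The class and method names, the case-insensitive name match and the `*` wildcard semantics are assumptions; the provider versions in `main` are constructed samples.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

// Hypothetical sketch. Assumed semantics: entries are <name>:<version>, names compare
// case-insensitively, '*' matches any run of characters, no ':' means any version.
public class RequiredProviderCheck {
    record Installed(String name, String version) {}

    static boolean versionMatches(String glob, String version) {
        // Quote the literal parts so the dots in "2.0.*" are not regex wildcards.
        String regex = Arrays.stream(glob.split("\\*", -1))
            .map(Pattern::quote).collect(Collectors.joining(".*"));
        return version.matches(regex);
    }

    // Returns the required entries that no installed provider satisfies.
    static List<String> unmet(List<String> required, List<Installed> installed) {
        List<String> missing = new ArrayList<>();
        for (String entry : required) {
            int sep = entry.indexOf(':');
            String name = (sep < 0 ? entry : entry.substring(0, sep)).trim();
            String glob = sep < 0 ? "*" : entry.substring(sep + 1).trim();
            boolean ok = installed.stream().anyMatch(p ->
                p.name().equalsIgnoreCase(name) && versionMatches(glob, p.version()));
            if (!ok) missing.add(entry);
        }
        return missing;
    }

    // Snapshot of the JCA providers registered in the running JVM.
    static List<Installed> fromJvm() {
        List<Installed> out = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            out.add(new Installed(p.getName(), p.getVersionStr()));
        }
        return out;
    }

    public static void main(String[] args) {
        List<String> required = List.of("bcfips:2*");
        // Constructed samples: a 1.0.x provider must not satisfy a 2* requirement.
        System.out.println(unmet(required, List.of(new Installed("BCFIPS", "1.0.2.5"))));
        System.out.println(unmet(required, List.of(new Installed("BCFIPS", "2.0.0"))));
        // The running JVM: a launch check would refuse to start if this is non-empty.
        System.out.println(unmet(required, fromJvm()));
    }
}
```

Under these assumed semantics `2*` also accepts a version string such as `20.1`; a pattern of `2.*` is stricter.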